[Geoserver-users] Layer security and CAS

Hi All,

After what we saw and discussed at FOSS4G, we are considering using
GeoServer as our one-point stop for geo services. We are currently
developing a PHP/Java (leaning more towards Java as it evolves)
information system in which an OpenLayers (previously Pmapper) map is
displayed in an iframe. Our application currently handles
authentication and authorization for the general information it manages,
but we currently have no way of managing auth/auth on map layers (what
group/roles can view or edit map layers etc.). Now, we do not want to
add map layer auth/auth to our application. Rather, we want to use a
service to do that, whence our need to use external pieces of software
for auth/auth.

We are at the point of considering how to create a Java mapping service
that would serve as middleware between OL and GeoServer. What we
envisage at this point is to send a request that includes some token
from our application to that middleware. Using that token, the
middleware would:

1) fetch map layers from GeoServer
2) determine what the user is allowed to do for each layer (read or
edit, for example, as a function of some configuration file) and generate
a complete html file accordingly (i.e. with all the required OpenLayers
JavaScript including all buttons and OL controls).

Did someone in the GeoServer community ever have to deal with such
issues? Does the GeoServer project have plans regarding auth/auth? We
think that using a CAS server would be an appropriate way to go about
managing the token/ticket. We haven't played yet with CAS or OpenLDAP
so we are seeking directions or pointers as to how to go about this.
The CAS web site currently has lots of 404 on the docs hyperlink so any
pointer showing use of an SSO solution with GeoServer would be greatly
appreciated. We are willing to contribute our code to the community on
this or to collaborate on an ongoing activity.

Cheers,

Yves Moisan for the Borealis team.
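The per-layer decision step of the middleware sketched above, as an added example that is not code from this thread or from GeoServer: it resolves roles from an application token (a constructed table standing in for a CAS ticket validation or LDAP lookup), reads a constructed ACL written in the key style of GeoServer's layers.properties, and returns which layers the generated OpenLayers page should show as read-only or editable.

```python
# Added example, not code from the thread or from GeoServer: the middleware's
# per-layer decision step. Token -> roles is a constructed stand-in for a CAS
# ticket validation or LDAP lookup; the ACL is constructed in the key style of
# GeoServer's layers.properties (workspace.layer.r / .w = comma-separated roles).
# '*' as a layer name is a workspace-wide default; '*' as a role means any
# user whose token resolved to at least one role.
LAYER_ACL = """
mode=HIDE
topp.*.r=*
topp.*.w=ROLE_EDITOR
topp.states.w=ROLE_ADMIN
sf.roads.r=ROLE_PLANNER,ROLE_ADMIN
sf.roads.w=ROLE_PLANNER
"""

TOKEN_ROLES = {
    "ST-1-viewer": {"ROLE_VIEWER"},
    "ST-2-editor": {"ROLE_EDITOR"},
    "ST-3-planner": {"ROLE_PLANNER"},
}

def parse_acl(text):
    """Return {(workspace, layer, 'r' | 'w'): set of roles}; 'mode=' is skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line or line.startswith(("#", "mode=")):
            continue
        key, value = line.split("=", 1)
        workspace, layer, mode = key.split(".")
        rules[(workspace, layer, mode)] = {r.strip() for r in value.split(",")}
    return rules

def can(rules, roles, workspace, layer, mode):
    """Layer-specific rule beats the workspace default; no rule at all means deny."""
    needed = rules.get((workspace, layer, mode)) or rules.get((workspace, "*", mode)) or set()
    return bool(roles) if "*" in needed else bool(roles & needed)

def layer_permissions(rules, token, layers):
    """Map 'ws:layer' -> 'read' | 'edit'; layers the user may not read are omitted."""
    roles = TOKEN_ROLES.get(token)
    if roles is None:
        raise PermissionError("unknown or expired token")
    result = {}
    for workspace, layer in layers:
        if can(rules, roles, workspace, layer, "r"):  # edit controls need read too
            editable = can(rules, roles, workspace, layer, "w")
            result[f"{workspace}:{layer}"] = "edit" if editable else "read"
    return result
```

Layers missing from the result never reach the generated HTML, which is the middleware-side counterpart of GeoServer's HIDE mode; a layer with no rule at all is denied rather than silently readable.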

Hi Yves,

A month or so ago, I was discussing user authentication on the list [1]. I was thinking that, because Geoserver already has Acegi layer/service-level authentication and integration between Acegi and OpenLdap should be quite possible, an OpenLdap security implementation could be carried out.
Unfortunately, I am afraid that I don't have the needed skills for that, but Andrea Aime promised to deliver some instructions anyway on how one could accomplish that. He promised to do that right after the stable 1.7 is released.

Obviously you are working at a bit higher level than what my needs are, but I was thinking that maybe my discussion might benefit you somehow. I do my security on a container basis now (Tomcat/OpenLdap), but would need layer-level security.

With best regards,
Mika Lehtonen

http://www.nabble.com/user-authentication-to19252162.html#a19252162

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Yves Moisan wrote:

Hi All,

After what we saw and discussed at FOSS4G, we are considering using
GeoServer as our one-point stop for geo services. We are currently
developing a PHP/Java (leaning more towards Java as it evolves)
information system in which an OpenLayers (previously Pmapper) map is
displayed in an iframe. Our application currently handles
authentication and authorization for the general information it manages,
but we currently have no way of managing auth/auth on map layers (what
group/roles can view or edit map layers etc.). Now, we do not want to
add map layer auth/auth to our application. Rather, we want to use a
service to do that, whence our need to use external pieces of software
for auth/auth.

We are at the point of considering how to create a Java mapping service
that would serve as middleware between OL and GeoServer. What we
envisage at this point is to send a request that includes some token
from our application to that middleware. Using that token, the
middleware would:

1) fetch map layers from GeoServer
2) determine what the user is allowed to do for each layer (read or
edit, for example, as a function of some configuration file) and generate
a complete html file accordingly (i.e. with all the required OpenLayers
JavaScript including all buttons and OL controls).

Did someone in the GeoServer community ever have to deal with such
issues? Does the GeoServer project have plans regarding auth/auth?

Well, per layer security does exactly that, provides authentication
and authorization. For the moment we have no short term plans to
extend the security subsystem beyond what we have right now, but
Acegi offers quite an interesting (and untapped) expansion potential.
Some changes in the code are necessary in order to turn authentication
into an extension point. At the moment only layer level authorization
can be overridden with a custom one by writing a plugin.

We think that using a CAS server would be an appropriate way to go about
managing the token/ticket. We haven't played yet with CAS or OpenLDAP
so we are seeking directions or pointers as to how to go about this.

I know that Acegi has CAS integration, but I never looked deeply into
it. What I could do is to provide you with an extension point so that
you can plug in a different authentication system. Doing so at the
level of verifying username/password should be easy; allowing an
authorisation system other than HTTP basic authentication is a different
story, still possible but harder.

The CAS web site currently has lots of 404 on the docs hyperlink so any
pointer showing use of an SSO solution with GeoServer would be greatly
appreciated. We are willing to contribute our code to the community on
this or to collaborate on an ongoing activity.

Well, I'd suggest you have a look at the Acegi reference documentation
and see what it takes to secure a generic application with CAS, then
we can look into what needs to be done in order to add that kind of
authentication to GeoServer as a plugin.

Cheers,
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.

Thanx Andrea and Chris and all the others who answered. I'll do my due
diligence and come back.

Cheers,

Yves Moisan

Hi Andrea,

You answered a question regarding Geoserver-CAS integration in early
October. There, you mentioned that the layer level authorization could be
overridden as a plugin. I know how to configure Acegi for CAS (I actually
configured Spring Security for CAS, and read the Acegi reference guide).
Could you please give me some hints on how to start developing the plugin
for layer level authorization so that it asks CAS server for tickets while
granting/denying users' access to layers?

Thanks in advance,
Majid
